MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57748e42e68e56c1f8813ed1c6a372191dfacc6488b4500f973a3aad93add2ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HijackLoader

Vendor detections: 16

SHA256 hash: 57748e42e68e56c1f8813ed1c6a372191dfacc6488b4500f973a3aad93add2ed
SHA3-384 hash: c8dab360a73106785e576116a123a7150c2354af37ef4820b2d2c0151e937b1851a6d9bdc036f4c323edca4164e1c4c2
SHA1 hash: cc02071297ec87b2a61c0cb613803a4daebf9a67
MD5 hash: 6951d4ec8e4f50acdd28ec384875fc0b
humanhash: bacon-neptune-connecticut-eight
File name: file
Download: download sample
Signature: HijackLoader
File size: 8'355'943 bytes
First seen: 2026-01-28 17:38:24 UTC
Last seen: 2026-01-29 05:52:09 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 20dd26497880c05caed9305b3c8b9109 (31 x Adware.Auslogics, 13 x HijackLoader, 5 x Adware.IObit)
ssdeep: 196608:B5O2zZx/4O/DH/B3vhJMyK0Z7EPM1qjFTYGhYLgqLxj:BgwzjKyWE1qjegq9j
Threatray: 21 similar samples on MalwareBazaar
TLSH: T1C48633039BD34130E3EA4934A079D860AF36BD7688DA741C7CF6E25C14B96C28E36B57
TrID:
  70.9% (.EXE) Inno Setup installer (107240/4/30)
  9.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  6.9% (.EXE) Win64 Executable (generic) (10522/11/4)
  4.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  2.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: Bitsight
Tags: dropped-by-gcleaner exe HIjackLoader U UNIQ.file


Reporter comment (Bitsight):
url: http://194.38.20.224/service

Intelligence

File Origin
# of uploads: 4
# of downloads: 153
Origin country: US

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: _57748e42e68e56c1f8813ed1c6a372191dfacc6488b4500f973a3aad93add2ed.exe
Verdict: Malicious activity
Analysis date: 2026-01-28 17:40:10 UTC
Tags: hijackloader loader delphi

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmdetect dropper crypt smtp

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Connection attempt
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug anti-vm anti-vm crypto embarcadero_delphi fingerprint inno installer installer installer-heuristic packed soft-404
Verdict: Malicious
File Type: exe x32
First seen: 2026-01-28T14:51:00Z UTC
Last seen: 2026-01-30T06:22:00Z UTC
Hits: ~10
Detections: Trojan.Win32.Delf.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Greedy.sb Trojan-PSW.MSIL.Stealer.sb Trojan.Win32.Penguish.glt Trojan.Win32.Strab.sb Trojan.Win32.Inject.sb Trojan-Spy.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.Win32.Agent.sb Trojan-Banker.Win32.ClipBanker.sb Trojan.Win32.Penguish.sb
Result
Malware family: hijackloader
Score: 10/10
Tags: family:hijackloader credential_access discovery installer loader spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Browser Information Discovery
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Detects HijackLoader (aka IDAT Loader)
HijackLoader, IDAT loader, Ghostulse,
Hijackloader family
Unpacked files
Detections (on one of the unpacked files): INDICATOR_SUSPICIOUS_Binary_References_Browsers
Malware family: HijackLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Borland
Author: malware-lu

Rule name: HeavensGate
Author: kevoreilly
Description: Heaven's Gate: Switch from 32-bit to 64-mode

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: pe_detect_tls_callbacks

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
HijackLoader: Executable exe 57748e42e68e56c1f8813ed1c6a372191dfacc6488b4500f973a3aad93add2ed (this sample)
Dropped by: Gcleaner
Delivery method: Distributed via web download

Comments